NAT over ipsec VPN

spacemky (Level 1)

Hello Cisco Pros,

I have a router with a single internet-routable IP address, and an IPsec VPN connection via a Tunnel0 interface. I'd like to set up NAT through the router such that traffic arriving from anywhere on the Internet on port 80 goes to a different host across the IPsec VPN on port 8080. I've tried a lot of different configuration examples, and can't seem to get it right. Is this at all possible?

I've tried:

! Tunnel0 is the NAT inside interface (the far side of the IPsec VPN)
interface Tunnel0
 ip address 192.168.1.1 255.255.255.252
 ip nat inside
!
! FastEthernet1/0 holds the single public address and is the NAT outside interface
interface FastEthernet1/0
 ip address 12.34.56.78 255.255.255.252
 ip nat outside
!
! Static port forward: inside local 192.168.1.2:8080 <-> inside global 12.34.56.78:80
ip nat inside source static tcp 192.168.1.2 8080 12.34.56.78 80

(where 192.168.1.2 is a host across the VPN tunnel, and 12.34.56.78 is the external IP address of F1/0)

Nothing I'm trying is working. Thanks for your suggestions!

7 Replies

yagnesh_tel (Level 1)

Could you break down your issue using IP addresses? From which interface packets enter and exit?

Sure, packets will enter through the F1/0 interface, and will be destined for 12.34.56.78 (or a similar IP if I cannot use F1/0's address). I'd then like to NAT the traffic using Tunnel0's IP address.

So it works like this:

Internet User --> 12.34.56.78:8080 --> goes through vpn to 192.168.1.2:80.

Hope this makes sense.

What is the source address of Tunnel0? Are you sourcing the tunnel from F1/0?

Yes, I am sourcing it from F1/0:

I can change where traffic is sourced from, if necessary. I just need Internet users to be NAT'ted over the IPsec VPN tunnel somehow.... Thanks!

! Tunnel0: IPsec VTI sourced from F1/0's public address, with NAT inside on it
interface Tunnel0
 ip address 192.168.1.1 255.255.255.252
 ip nat inside
 ip virtual-reassembly
 tunnel source 12.34.56.78
 tunnel destination 23.45.67.89
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile P1

I think that's the reason why it's not working right now. Here 'ip nat inside' and 'ip nat outside' are virtually present on the same physical interface F1/0.

Is it possible for you to use a tunnel source interface other than F1/0?

Sure, I also have an F1/1 interface I could use. Let me try that and see if it fixes anything. Thanks for your replies!

I have a host on the other side of the VPN tunnel. I do not want this host to see the true source of the outside global host. No matter how I set up NAT, the outside global's source IP always comes through to my inside local host.

How (using NAT), can I have traffic from an Internet host flow through the router, so that my inside host only sees an IP request coming from the router?

Thanks!
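The following is an added example configuration, not something posted in the thread, written to show one way of doing what the thread asks for: forward Internet traffic on 12.34.56.78:80 to 192.168.1.2:8080 across the VTI, and have the far-end host see only the router's Tunnel0 address rather than the real Internet source. It uses the NAT Virtual Interface (NVI) form of IOS NAT (`ip nat enable` and `ip nat source ...`) instead of the inside/outside form used in the thread, which sidesteps the "inside and outside on the same physical interface" concern because NVI has no inside/outside domains. Addresses, Tunnel0 and profile P1 are taken from the thread; the ACL name HIDE-SRC is mine, and it is assumed that the platform and IOS release support NVI on an IPsec VTI and that the dynamic source rule is evaluated after the static destination translation (verify with the show commands at the end before relying on it). Do not mix this with `ip nat inside`/`ip nat outside` on the same interfaces.

```cisco
! Added example (NVI double translation); not from the thread.
! crypto ipsec profile P1 (and its IKE/transform-set) is assumed to already exist.
!
! Public-facing interface: NAT-enabled, no inside/outside role
interface FastEthernet1/0
 ip address 12.34.56.78 255.255.255.252
 ip nat enable
!
! IPsec VTI: also NAT-enabled, still sourced from F1/0
interface Tunnel0
 ip address 192.168.1.1 255.255.255.252
 ip nat enable
 ip virtual-reassembly
 tunnel source FastEthernet1/0
 tunnel destination 23.45.67.89
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile P1
!
! 1) Destination translation (the port forward from the thread, NVI syntax):
!    Internet -> 12.34.56.78:80 becomes 192.168.1.2:8080 over the tunnel,
!    and replies from 192.168.1.2:8080 leave as 12.34.56.78:80.
ip nat source static tcp 192.168.1.2 8080 12.34.56.78 80
!
! 2) Source translation: only packets already rewritten towards the forwarded
!    host, and only when they leave via Tunnel0, get their source changed to
!    Tunnel0's address (192.168.1.1) with port overload. The far-end host then
!    sees one router address, so it does not need a route back to the Internet
!    source through the VPN (assumption: HIDE-SRC is matched post-destination-NAT).
ip access-list extended HIDE-SRC
 permit tcp any host 192.168.1.2 eq 8080
!
ip nat source list HIDE-SRC interface Tunnel0 overload
!
! Keep a record of who really connected, since 192.168.1.2 will no longer see it
ip nat log translations syslog
!
! Verification, with a test connection from an outside host to 12.34.56.78:80:
!   show ip nat nvi translations      (expect a static entry and a dynamic one
!                                      with 192.168.1.1:<port> as the new source)
!   show crypto ipsec sa               (encaps/decaps counters on Tunnel0 rise)
!   debug ip nat nvi                   (lab only; shows each translation step)
```

Two caveats a practitioner would want: the static entry exposes 192.168.1.2:8080 to the whole Internet, so if the set of legitimate clients is known, add an ingress ACL on FastEthernet1/0 that permits tcp to 12.34.56.78 port 80 only from those sources; and once the source is hidden, the application on 192.168.1.2 can no longer log or rate-limit by real client address, which is why the router's NAT translation logging (or NetFlow) becomes the only record of the original source for incident response.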
